How to set up Digital Operational Resilience Management (DORM) on the Now Platform 

ServiceNow’s new Digital Operational Resilience Management app enables customers to manage their activities associated with new operational resilience regulations such as the EU Digital Operational Resilience Act (DORA).

 

(A PDF version is available below.)

 

An Integrated Risk Management (IRM) Pro or Third-Party Risk Management (TPRM) license is mandatory to download these applications from the store.

·       IRM Pro users – The solution is available in the Operational Resilience workspace.

·       TPRM users – The solution is available in the Vendor/Third Party Risk Management workspace.

 

Two applications must be installed:

·       Digital Operational Resilience Management – Setup of the tables for data and reporting purposes.

·       Digital Operational Resilience – Third Party Information Register – The Register Information setup and reporting template are mandated by the European Supervisory Authorities (ESA).

 

The solution is structured in the following order:

·       Legal Entities

·       Branches

·       Functions

·       Third Parties

·       Third-Party Engagement (Full functionality is available for TPRM users.)

·       Supply Chains (for rank identification)

·       Assessments

·       Contracts

·       Excel download/request

 

Additional tabs are introduced on the following applications:

·       Legal Entities – Legal Entity Tab

·       Third Parties – Digital Resilience Information

·       Third-Party Engagement – Digital Resilience Information

·       Contracts – Digital Resilience Information

 

If these tabs are not visible on the record form, please perform the following actions:

1.     Click on the record in question.

2.     On the record form, go the picture at the top right-hand side of the form.

3.     Expand Configure page from the drop-down list.

4.     Choose Related list.

5.     On the related list view, select Edit this view in common vendor core.

6.     Look up the following fields for each respective application as follows. Click save after each action.

a.    Legal Entity – Double click on the Legal entity -> Third Party field in the list

b.    Third Parties – Double click on the ICT Third-Party service Provider -> Third Party field in the list

c.     Third Party engagement – Double click on the ICT Third Party service provider -> Third Party engagement field in the list

d.    Contracts – Double click on the Contractual arrangement -> Contractual arrangement field in the list

These fields should now be visible on the record form.

 

Data Input

ServiceNow provides multiple ways to input data:

·       APIs (available on the ServiceNow Platform)

·       Microsoft Excel import

·       Manual input

 

Microsoft Excel Import

Navigate to Excel download/upload request, create a new record, and choose upload to start the data upload process for that regulation.

 

Manual Input

1.     Navigate to the Legal Entities table. Either click on an existing record or create a new one. With the record opened, navigate to the Legal Entity tab, then create and save a new entry. Additional tabs such as branches and functions start to populate the screen.

2.     Enter the Branches information through the legal entity record or through the Branches table entry in the workspace.

3.     Create Functions records through the legal entity record or through the Functions table entry in the workspace.

4.     Update the Third-Party record in the system and tag the critical third parties necessary for the delivery of the Information and Communication Technology (ICT) services. This is done in the Digital resilience information tab.

5.     Update the Third-Party record in the system and tag the critical third parties that deliver the ICT services parties via the Digital resilience information tab.

·       Alternatively, create a new third-party record via the workspace available through license entitlement and enter the required DORA-related information via the Digital resilience information tab.

6.     Update the Third-Party Engagement record and tag the ICT services that deliver the critical third parties via the Digital resilience information tab.

·       Alternatively, create a new third-party record via license entitlement and enter the required DORA-related information via the Digital resilience information tab.

7.     Create a Supply Chain trail of the delivery of ICT services. In the workspace, click on new, then create the supply chain record by adding the data as required for regulatory reporting, including any subcontracting.

8.     Click on Assessments, where ICT service data is captured for reporting, then upload/create a record that captures that data.

9.     Update the Contracts record in the Digital resilience information tab with the required data for regulatory reporting.

·       Alternatively, create a new Contracts record via license entitlement and enter the required DORA-related information via the Digital resilience information tab.

10.  Check that these areas have been set up and populated:

·       Legal Entity - LEI data is populated

·       Third Party - LEI data is populated

·       Supply Chains - Built in the related application/table

·       ICT service assessments - Uploaded and created

 

11.  Verify that the Contracts record has all the relevant data for the final report download.

12.  Select Excel Export, navigate to Excel download/upload request, and create a new record. Instructions will guide you on how to download the relevant data for reporting to local and European regulators.

 

For more information, consult ServiceNow Product Documentation.